Address Patient Privacy, Authority, and Security Concerns

The privacy and security of electronic health information is a shared responsibility of public health and healthcare facilities in outbreak investigations, including those involving HAIs. Early conversations between public health officials and healthcare facility staff should address concerns about public health authority, patient privacy, and the secure transfer and storage of patient information to ensure the information is appropriately protected.

Patient Privacy

The Federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule establishes protection for health information while also allowing certain uses for public health purposes. Healthcare facilities may share protected health information with a public health authority without the patient’s authorization if the information is needed to prevent or control disease. Public health officials consistently reported perceived HIPAA barriers as a reason healthcare facilities were hesitant to provide health departments with access to patient information. Understanding and making the public health exemption of HIPAA available to healthcare facilities helps to overcome barriers to access during outbreaks.

Public health officials rely on delegated authority, that is, through their state health code to access medical information. Healthcare facilities sometimes challenge or ask for proof of that authority, even after being informed of public health authority. Healthcare facilities may want to withhold certain patient information because of concerns about patient privacy. To help overcome this challenge, some health departments have developed standardized letters to address healthcare facilities’ concerns by identifying state laws and the HIPAA exceptions that grant the health department access to patient health information in the healthcare facilities’ EHRs.

– Health Department Staff

Healthcare facilities’ concerns about data security

Some health departments faced challenges when accessing medical records because healthcare facilities were concerned about the health department's ability to view the entire patient record, including information that was not part of the outbreak investigation. In some cases, healthcare facilities restricted access to certain aspects of the patient's health information (e.g., mental health, obstetrics) in the EHR to maintain patient privacy. Additionally, some health department staff also mentioned that healthcare facilities could audit what information was accessed as a way to monitor the health department’s access and use of EHRs. To help build trust, and communicate clearly with full transparency, health departments should be specific with healthcare facilities and outline what parts of the EHR they will need access to and why.

Questions and concerns about the security of patient health information (transmission and storage) can also be a concern for healthcare facilities when health departments access and use EHRs. Health departments identified when they are onsite at the healthcare facility, they use personalized passwords, encrypted computers, and locked briefcases to transfer and store patient health information. When accessing EHRs from remote locations, the health department used secure personalized passwords, secure file transfer and secure storage mechanisms.

Communicate the need for the data clearly, and develop documents to prepare for an outbreak investigation

This toolkit is not intended to serve as legal advice. We recommend seeking the advice of an attorney or other qualified professional with questions regarding the application of law to a specific circumstance.

State Examples

Michigan and Minnesota use letters and reminders about HIPAA and the disclosure of protected health information for prevention and control under the public health code

Kansas regulations require staff “engaged in the collection, handling, and dissemination of healthcare data” in the health department’s database to be informed of data protection responsibilities, accountability, and consequences for breaches, such as termination of employment (Kan. Admin. Regs. § 28-67-8). Additionally, Kansas has provisions on system security (Kan. Admin. Regs. § 28-67-9).

Virginia prohibits disclosure or re­disclosure of patient health information unless permitted by state law or HIPAA provisions relating to the privacy of electronic transmission of data (Va. Code Ann. § 32.1-127.1:03).

New Hampshire public health officials discuss the delicate balancing act they confronted in seeking patient health information without specific patient consent during a hepatitis C outbreak.

Click on the link to the state legislative home page, then copy the legislative code number into the search or section look up field.

Data Use Agreements

Michigan and Virginia have Data Use and Confidentiality Agreements in place with hospitals. Michigan also has an addendum that addresses use of information for data validation.

New York City uses Department of Health Data Use and Reciprocal Support Agreement (DURSA) to create data use agreements about EHR use with healthcare facilities in their jurisdiction

Virginia uses Business Associates Agreements (BAAs) to create data agreements about EHR use with healthcare facilities in their state